godot-dialogue-system
Warn
Audited by Gen Agent Trust Hub on May 27, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The
load_dialoguefunction inscripts/dialogue_manager.gd(and associated documentation inSKILL.md) utilizes Godot'sload()function with a dynamic string path. Since Godot resources can contain script components, this pattern allows for arbitrary code execution if the path points to an untrusted or attacker-controlled resource file. - [REMOTE_CODE_EXECUTION]: The
DialogueOptionresource defined inscripts/dialogue_option_data.gdincludes acondition_scriptfield intended for storing GDScript snippets. This design facilitates dynamic code evaluation at runtime, which poses a severe risk if the dialogue resources are sourced from external or unverified origins. - [DATA_EXFILTRATION]: The
load_dialogue_graphfunction inscripts/dialogue_engine.gdusesFileAccess.open()with a user-providedfile_path. Without explicit path validation or restriction to theres://oruser://scopes, this implementation allows for Local File Inclusion (LFI), potentially exposing sensitive system files to the application. - [COMMAND_EXECUTION]: The
_on_line_startedfunction inscripts/dialogue_event_bridge.gdemits global signals based on theevent_signalmetadata property of dialogue nodes. This allows for logic injection where a malicious dialogue file can trigger sensitive internal game functions through theGlobalBussignal system. - [PROMPT_INJECTION]: The dialogue engine processes narrative data containing execution triggers (like
[trigger:event]) without sanitization, creating a surface for indirect injection. - Ingestion points:
load_dialogueinscripts/dialogue_manager.gdandload_dialogue_graphinscripts/dialogue_engine.gd. - Boundary markers: Absent; dialogue text and metadata are processed directly without delimiters or instruction-ignore guards.
- Capability inventory: Arbitrary resource loading via
load(), file system access viaFileAccess, and global signal broadcasting viaemit_signal(). - Sanitization: None; the BBCode parser in
scripts/dialogue_engine.gdremoves tags for display but does not prevent the underlying event signals from being fired.
Audit Metadata